Desktop and mobile application are trojans

Lukaka

New member
Hi there, I work in IT and being an emergency readiness enthusiast have been a member here for a while.

Just recently I downloaded the desktop warning system desktop and mobile applications. Just after doing so, some issues arose with my computer. The program was also using high amounts of my CPU and was uploading and downloading quite a bit. Its the uploading I'm worried about. The total upload data in one day reached over half a gig. The domains it contacted were all defconwarningsystem.com, but it was over a few different unique IP addresses. I continued monitoring the program and it continued to do numerous fishy things.

-It requested access to a system service
-Accessed the group policy service and sent request codes to it
-Read my GUID and MAC address
-Ran code to view the taskbar, which, although could be used to run files as a user, might also be the program's odd way of checking for clicks on the task bar or creating defcon popups.
-Changed its file tracing settings as seen here:
Code:
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLECONSOLETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "CONSOLETRACINGMASK"; Value: "0000FFFF")

On mobile I don't get as much info but in one day it uploaded almost as much as it downloaded, about 60kb (This was read with glasswire).
All in all, I'm giving the owners the benefit of the doubt as they probably outsourced the creation of the programs and are unaware of this issue.
I strongly recommend to anyone to remove the programs for now, and I recommend the owner to remove the program from the downloads page. In the meantime I will be creating a script for windows that checks the level (an open source bat file) which I will post in response to this thread.

I want to emphasize that I am not accusing anyone of anything, I'm just trying to find answers. Thanks.
 

DEFCON Warning System

Director
Staff member
Lukaka said:
Just recently I downloaded the desktop warning system desktop and mobile applications. Just after doing so, some issues arose with my computer. The program was also using high amounts of my CPU and was uploading and downloading quite a bit. Its the uploading I'm worried about. The total upload data in one day reached over half a gig. The domains it contacted were all defconwarningsystem.com, but it was over a few different unique IP addresses. I continued monitoring the program and it continued to do numerous fishy things.

-It requested access to a system service
-Accessed the group policy service and sent request codes to it
-Read my GUID and MAC address
-Ran code to view the taskbar, which, although could be used to run files as a user, might also be the program's odd way of checking for clicks on the task bar or creating defcon popups.
-Changed its file tracing settings as seen here:
Code:
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLECONSOLETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "CONSOLETRACINGMASK"; Value: "0000FFFF")

We did outsource both programmes.

I have the desktop app running now and it is just sitting there quietly. It is designed to poll our server every 10 minutes, and that only pulls a one byte file.

It also queries Twitter every 10 minutes to see if any tweets have been sent by @DEFCONWSALERTS. I don't really know how that part of it works.

It shouldn't be uploading anything. As far as I know, it isn't even capable of that.

I'll ask the author to look over your post and see what he says.
On mobile I don't get as much info but in one day it uploaded almost as much as it downloaded, about 60kb (This was read with glasswire).

The mobile app polls the same one byte file every 10 minutes. It doesn't upload anything. I have no answer as to why you are seeing data being uploaded.

Like I said, I'll ask the desktop app author about your inquiry.
 

DEFCON Warning System

Director
Staff member
On a thought, you may want to check the file size. It is supposed to be 452,096 bytes size and 454,656 bytes size on disk.

If those numbers are different, maybe you might have a virus that attached itself to the programme.
 

Lukaka

New member
DEFCONWarningSystem said:
On a thought, you may want to check the file size. It is supposed to be 452,096 bytes size and 454,656 bytes size on disk.

If those numbers are different, maybe you might have a virus that attached itself to the programme.

I checked and the main exe is taking up less data, and the overall files are taking up 77,240,798 bytes.

I looked into the Windows event history and found no changes to the files that were not self originated.

Malwarebytes finds no issues on my system.

If you could have the creator make it open source on github it would make everyone happy Im sure.

I continued to analyze the programs usage and it has not uploaded any more data since that day, although it has continued to query my guuid.
 

DEFCON Warning System

Director
Staff member
Lukaka said:
DEFCONWarningSystem said:
On a thought, you may want to check the file size. It is supposed to be 452,096 bytes size and 454,656 bytes size on disk.

If those numbers are different, maybe you might have a virus that attached itself to the programme.

I checked and the main exe is taking up less data, and the overall files are taking up 77,240,798 bytes.

I looked into the Windows event history and found no changes to the files that were not self originated.

Malwarebytes finds no issues on my system.

Here is the reply I got from the author.
I think that the executable of those who signaled such issues is infected by malware, and I will try to explain why.

1. On every application's startup the software downloads the file version from Defcon web site (ver.dat), it is a small text file containing the latest version realized to show when it's time to upgrade the software. We use a simple Webclient request and the download is only 1 Kbyte, so it cannot request big amount of CPU resources. (DEFCON Warning System - The file is only a couple bytes in size. The remaining data is likely overhead)

2. Periodically, based on users setting, we download the new tweets, using an instance of the Gecko browser developed by Mozilla to download its content from the link https://twitter.com/DEFCONWSALERTS?ref_src=twsrc%5Etfw

3. We don't use any Windows services.

4. We don't use any Windows Group Policies.

5. We don't read any GUID or MAC address.

6. To show Defcon popups we use a component developed by Microsoft, the NotifyIcon with the command ShowBalloonTip, so we don't directly use the Taskbar.

7. We don't use Windows Registry. Application settings are written in a simple XML file stored into User folder.

8. We never read or upload any files or information from the host PC.

With a fast research on the internet it is simple to find several malware using the mentioned behavior, so I think the best solution is to uninstall the Defcon app, proceed with a PC scan using a good antivirus software and then download the latest version and proceed with a new installation.

I have just now downloaded the Defcon app posted online, using Eset Internet Security to check its content and it is ok.

DEFCON Warning System - This is the exact reply the author gave me. I made only a couple small edits to clean up the English.
Lukaka said:
If you could have the creator make it open source on github it would make everyone happy Im sure.

Unfortunately, the software is proprietary, so we are unable to do that.

Hope all that helps.
 

Lukaka

New member
I just want to say thank you for taking this seriously, contacting the developer, and not flat out deleting this post.
I'm confused by what the developer said, as I attempted to download and run the program within a sandbox and got the same result. However, I was able to reproduce the exact same environment in a sandbox today and found nothing abnormal. Comparing the file with the one on my computer finds no differences. I'm personally weary of using the program and will stop using it for now, however I will keep an eye on my system and update you all here if I find any explainations. You are probably right that I somehow contaminated the results. I still went ahead and created my open source version of the program, do with it what you would like: https://github.com/ITCMD/defcon-level I give you full permission to do whatever. It was an easy project and I was almost done with it anyways.

All in all your reaction to this puts my mind at peace enough to not suspect anything mischievous going on (while I still recommend keeping an eye out for more stuff like this). Thanks again.

Edit: Link was broken, fixed now. Apparently github now makes repositories private by default :/
 

DEFCON Warning System

Director
Staff member
Sorry to hear about the problems you are having. Beyond a virus, I really have no explanation. I have to admit that the programming of today is beyond me, even though I used to program a long time ago. We're talking Fortran and Assembly. Not quite up to what today does.

We'll keep looking into this as well.
 
Top